How can I check when I make a detection rule if another rule has been activated? That is, if I want to make a rule that verifies an incident I would like to check if another rule that is strictly related to IDS has already been activated.
Thank you very much!
you can create rules that point at the signals index .siem-signals-default-*
thing is that query would only be using that index. It is possible to create multiple alerts based on various indexs then create a rule the runs against the .siem-signals-default-*
name the rules with a prefix then use threshold with .siem-signals-default-* to alert of x events with that prefix alert in x minutes.
Thank you !
fwiw, you don't have to do .siem-signals-default-*, you should only have to use .siem-signals-default when you're in the default space as that is an alias which will access all the ILM indexes correctly. If you are in a different space it would be .siem-signals-${space-id} where ${space-id} is the space id you have created.
Please let me know if you are finding this to be a problem and are having to resort to using .siem-signals-default-* with a glob pattern. We made the siem signals detection work with ILM and aliases.
If you are reaching across spaces then it would be .siem-signals* or siem-signals-${space-id1},siem-signals-${space-id2} when setting up Kibana indexes with regards to dashboards. Then just setup your permissions per space according to your use cases.
With all of that said you could still use a glob like mentioned above, it shouldn't hurt anything major unless you have specific use cases and changes to the existing ILM policies and how you're aging out closed signals.
Ref on ILM:
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.